CVE Tools

CVE-2026-0300

PAN-OS: Unauthenticated user initiated Buffer Overflow Vulnerability in User-ID™ Authentication Portal

Published: May 6, 2026Updated: May 12, 2026 Sources: CVE List NVD BDU csafCWE-787

Description

A buffer overflow vulnerability in the User-ID™ Authentication Portal (aka Captive Portal) service of Palo Alto Networks PAN-OS software allows an unauthenticated attacker to execute arbitrary code with root privileges on the PA-Series and VM-Series firewalls by sending specially crafted packets. The risk of this issue is greatly reduced if you secure access to the User-ID™ Authentication Portal per the best practice guidelines https://knowledgebase.paloaltonetworks.com/KCSArticleDetail by restricting access to only trusted internal IP addresses. Prisma Access, Cloud NGFW and Panorama appliances are not impacted by this vulnerability.

In plain language

AI Act now

CVE-2026-0300 is a critical, likely-to-be-exploited flaw in the PAN-OS User-ID™ (Captive/Captive) Authentication Portal that could let an unauthenticated attacker run code as root on affected Palo Alto Networks firewalls—if you run one of those affected PAN-OS appliances, act now.

What to do

  1. Check with your IT/network admin whether your PA-Series or VM-Series running PAN-OS has the User-ID™ Authentication Portal (Captive Portal) exposed to networks beyond your trusted internal IPs.
  2. Patch immediately to the fixed PAN-OS version(s) your vendor provides for CVE-2026-0300.
  3. If you can’t patch immediately, restrict access to the User-ID™ Authentication Portal to only trusted internal IP addresses per Palo Alto Networks best practices.

CVSS Vector Breakdown

AV:NAC:LPR:NUI:NS:UC:HI:HA:H
Exploitability
AV:NAttack Vector
Network
AC:LAttack Complexity
Low
PR:NPrivileges Required
None
UI:NUser Interaction
None
Scope
S:UScope
Unchanged
Impact
C:HConfidentiality
High
I:HIntegrity
High
A:HAvailability
High

Weaknesses

Affected Products

Palo Alto Networks Inc.
commercial·USaka paloaltonetworks, palo alto networks, panw, pan inc.
and 1 more affected products View all →

Exploitability

CISA Known Exploited Vulnerability
Added to KEV:May 6, 2026
Remediation due:May 9, 2026

Required action: Apply mitigations per vendor instructions, follow applicable BOD 22-01 guidance for cloud services, or discontinue use of the product if mitigations are unavailable. Until the vendor releases an official fix, the following workaround should be implemented: - Restrict User-ID Authentication Portal access to only trusted zones. - Disable User-ID Authentication Portal if not required. 5/13/2026: Palo Alto has released a variety of patches. If these are relevant to your environment, please apply the designated patch.

0 exploit sources identified

Exploit details including PoC links, Metasploit modules, and scanner templates are available after registration.

View exploit details
Official Patch Available
Workaround Available

Attack Graph

Products CVE Techniques Tactics

Click technique nodes for MITRE ATT&CK details · drag to pan · Ctrl/ + scroll to zoom, or go fullscreen.

MITRE ATT&CK

2 techniques
Initial Access
Privilege Escalation
View detailed technique mapping

References

and 17 more references View all →
6

Unlock Complete Vulnerability Intelligence

Get the full picture for CVE-2026-0300 and every CVE in our database. Create a free account — no credit card required.

Create Free Account
Plain-language analysis
Impact assessment and exploitation scenario in plain English
Attack graph visualization
Interactive attack path and kill chain mapping
Exploit details & PoC links
ExploitDB, Metasploit, GitHub PoCs with direct links
Nuclei scanner templates
Ready-to-use vulnerability scanner templates
Full remediation guide
Patch instructions, workarounds, and compliance impact
Interactive AI chat
Ask questions about this vulnerability in natural language
Related vulnerabilities
Semantically similar CVEs and attack patterns
REST API & MCP access
Integrate vulnerability data into your workflows